Credit Unions Need to be More Proactive in Cybersecurity

Credit unions and banks have been targeted and damaged by high-profile cybersecurity incursions, resulting in a loss of consumer confidence and a move by credit unions to upgrade security measures in the constant battle against criminal hackers.

Security threats exist at multiple points, whether via targeting the customer or as a direct threat from hackers against the industry. Problematic links in the chain range from mobile device/application vulnerabilities and email scams to ATM threats and attacks on internal credit union systems, among many others.

One important, industry-wide tool credit unions are implementing is penetration testing, conducting ongoing self-evaluation of systems, processes and policies in an effort to stay ahead of hackers. However, penetration testing is not being implemented often enough to independently serve as a reliable means of security against dynamic, rapidly changing threats.

Credit union executives should take note of a recent report on banking cyber security by the New York State Department of Financial Services that can be extrapolated to credit unions. It found that while 100% of large and medium-size institutions surveyed and 91% of small institutions undertake penetration testing, only 9% of all institutions do so quarterly and only 4% do so monthly.

All others, 87%, only penetration test on an annual basis. Unfortunately for credit unions and consumers, hackers work and evolve cybercriminal activity on a daily basis.

The thinking of credit union leaders should change to a much more aggressive approach against advanced persistent threats. It's essential to identify new threats ahead of time while they are being developed and discussed by hackers in the deep web.

This more aggressive approach, called active threat intelligence, is needed to fill the gaps in penetration testing and implement a dynamic cyber security program. It's often the case that hacks are not noticed by credit unions or consumers until weeks or months after the intrusion, creating far more problems.

Credit unions should monitor the deep web to identify vulnerabilities before they are exploited by criminal hackers. Only by staying ahead of hackers with advanced persistent defenses on an ongoing basis can credit unions have a chance to combat nefarious activities.

It's similar to having a tornado warning; even a bit of notice can go a long way. It's important to have time to understand each threat and prepare countermeasures.

This type of aggressive cybersecurity is not typically implemented by traditional information technology departments, but by ethical hackers who work and lurk in the same places as criminal hackers, but use information to protect businesses and consumers. Ethical hackers monitor and participate in message boards, chat rooms and other online sites, as well as hacking conferences, where the most current information on what's coming next appears before criminal techniques are implemented.

This is much the way some of the best police or intelligence sources are on the streets or in the field, closest to the action. In this way, ethical hackers create the warning time needed to implement defenses to emerging threats.